Getting Data In

Why are some forwarded Windows events getting dropped and I get error "Failed to get the (record id, publisher name, level id) from event..."?

a212830
Champion

Hi,

We have Splunk reading forwarded Windows events, and it appears to be dropping events. Looking at the logs, I see the following on a semi-regular basis:

05-24-2016 15:02:54.357 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get the record id from event, channel='ForwardedEvents', 'The operation completed successfully.'.
05-24-2016 15:02:54.357 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get the publisher name from event, channel='ForwardedEvents', 'The operation completed successfully.'.
05-24-2016 15:02:54.357 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get level id from event, channel='ForwardedEvents', 'The message id for the desired message could not be found.'.

Has anyone ever seen this behavior before?

0 Karma

rdjoraev_splunk
Splunk Employee

This error message means that Splunk was unable to decode record_id from the event (unexpected type). Therefore, the root cause of this issue is specific to the file contents.

WARN WinEventLogChannel - getEventsNew: Failed to get the record id from event, channel = '\file path\ ...\filename*.evtx' 'The operation completed successfully.'

It could have a couple of possible root causes:

1) It could be specific to a file context, that needs to be reviewed and analyzed.

OR

2) Make sure that you are not monitoring evtx stored files.

Event log monitor configuration values:
Windows event log (*.evt) files are in binary format. They can't be monitored like a normal text file. The splunkd service monitors these binary files by using the appropriate APIs to read and index the data within the files.

In Splunk manual on http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/MonitorWindowseventlogdata
in section,
Index exported event log (.evt or .evtx) files
it states:

To index exported Windows event log files, use the instructions for monitoring files and directories to monitor the directory that contains the exported files.
and

Caution: Do not attempt to monitor a .evt or .evtx file that is currently being written to; Windows does not allow read access to these files. Use the event log monitoring feature instead.
We support indexing of .evt and .evtx files once they are exported, but do not monitor them as normal text-based logs. This explains why the file gets indexed and is not touched until Splunk gets restarted.

0 Karma
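A small triage script for the warnings discussed in this thread, added here as an example and not code from Splunk or from either poster. It parses `getEventsNew: Failed to get ... from event` lines out of splunkd.log, counts them per channel and failure reason, and applies the answer's two root causes as a rule of thumb: a channel that is really an .evt/.evtx file path points at the "monitoring a stored event log file" case, while a named live channel such as `ForwardedEvents` points at the "event content needs review" case. The log lines in `SAMPLE_LOG` are constructed from the ones quoted above (the trailing INFO line is filler to show that non-matching lines are ignored); the category names and advice strings are my own, not Splunk terminology.

```python
import re
from collections import Counter

# Constructed sample of splunkd.log content, modelled on the lines quoted in the question.
# The final INFO line is filler, not a real splunkd message; it shows that unrelated lines are skipped.
SAMPLE_LOG = r"""
05-24-2016 15:02:54.357 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get the record id from event, channel='ForwardedEvents', 'The operation completed successfully.'.
05-24-2016 15:02:54.357 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get the publisher name from event, channel='ForwardedEvents', 'The operation completed successfully.'.
05-24-2016 15:02:54.357 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get level id from event, channel='ForwardedEvents', 'The message id for the desired message could not be found.'.
05-24-2016 15:03:10.001 -0400 WARN  WinEventLogChannel - getEventsNew: Failed to get the record id from event, channel='C:\exports\Security-2016-05.evtx', 'The operation completed successfully.'.
05-24-2016 15:03:11.002 -0400 INFO  WinEventLogChannel - getEventsNew: (constructed filler line, ignored by the parser)
"""

# Matches the warning format quoted in the question: timestamp, WARN, the failing field,
# the channel name (or file path) and the Windows error text in single quotes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) WARN\s+"
    r"WinEventLogChannel - getEventsNew: Failed to get (?:the )?(?P<field>.+?) from event, "
    r"channel='(?P<channel>[^']*)', '(?P<reason>[^']*)'\.$"
)

# Hypothetical category names; the advice paraphrases the two root causes given in the answer.
ADVICE = {
    "stored_file_input": (
        "channel is an .evt/.evtx file path: do not monitor event log files as file inputs, "
        "and never one that is still being written to; index only exported copies and use the "
        "event log monitoring input for live channels"
    ),
    "live_channel_decode": (
        "decode failure on a live channel (record id / publisher / level id of unexpected type): "
        "the affected event content itself needs to be reviewed"
    ),
}


def classify(channel: str) -> str:
    """Apply the thread's rule of thumb: a file path means a stored file is being monitored."""
    looks_like_path = "\\" in channel or "/" in channel
    if looks_like_path or channel.lower().endswith((".evt", ".evtx")):
        return "stored_file_input"
    return "live_channel_decode"


def parse_failures(text: str) -> list:
    """Return one dict (ts, field, channel, reason) per matching getEventsNew warning."""
    failures = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            failures.append(m.groupdict())
    return failures


def summarize(failures: list) -> dict:
    """Group failures per channel: count, failing fields, reason histogram, category and advice."""
    report = {}
    for f in failures:
        entry = report.setdefault(f["channel"], {
            "count": 0,
            "fields": set(),
            "reasons": Counter(),
            "kind": classify(f["channel"]),
        })
        entry["count"] += 1
        entry["fields"].add(f["field"])
        entry["reasons"][f["reason"]] += 1
    for entry in report.values():
        entry["advice"] = ADVICE[entry["kind"]]
    return report


if __name__ == "__main__":
    for channel, entry in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{channel}: {entry['count']} failed events, fields={sorted(entry['fields'])}")
        for reason, n in entry["reasons"].most_common():
            print(f"  {n}x {reason}")
        print(f"  -> {entry['kind']}: {entry['advice']}")
```

Each warning line corresponds to one event that Splunk could not decode, so the per-channel count is a usable proxy for how many forwarded events are being silently lost; feeding the real splunkd.log through `parse_failures` on a schedule gives an early signal that a collector's ForwardedEvents subscription or a monitored .evtx path needs attention before gaps show up in searches.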